2.13.2. RADIUS

IEEE 802.1x Port-Based Network Access Control is a standard for solving some security issues associated with IEEE 802.11, such as the lack of user-based authentication and of dynamic encryption key distribution. With IEEE 802.1x, a RADIUS (Remote Authentication Dial-In User Service) server, and a user account database, an enterprise or ISP (Internet Service Provider) can manage its mobile users' access to its wireless LANs. Before being granted access to a wireless LAN supporting IEEE 802.1x, a user has to present his or her user name and password, or a digital certificate, to the backend RADIUS server via EAPOL (Extensible Authentication Protocol Over LAN). The RADIUS server can also record accounting information, such as when a user logs on to and off from the wireless LAN, for monitoring or billing purposes.

The IEEE 802.1x functionality of the access point is controlled by the security mode (see Section 2.12.2.1). So far, the wireless access point supports two authentication mechanisms: EAP-MD5 (Message Digest version 5) and EAP-TLS (Transport Layer Security). If EAP-MD5 is used, the user has to give his or her user name and password for authentication. If EAP-TLS is used, the wireless client computer automatically presents the user's digital certificate, stored on the computer's hard disk or on a smart card, for authentication. After a successful EAP-TLS authentication, a session key is automatically generated for encrypting wireless packets between the wireless client computer and its associated wireless access point. To sum up, EAP-MD5 supports only user authentication, while EAP-TLS supports user authentication as well as dynamic encryption key distribution.

Fig. 88. IEEE 802.1x and RADIUS.

The IWE3200-H supports IEEE 802.1x and can be configured to communicate with two RADIUS servers. When the primary RADIUS server fails to respond, the IWE3200-H will try to communicate with the secondary RADIUS server. You can specify the length of the timeout and the number of retries before the access point falls back to the secondary RADIUS server after failing to communicate with the primary RADIUS server.

An IEEE 802.1x-capable wireless access point and its RADIUS server(s) share a secret key so that they can authenticate each other. In addition to its IP address, a wireless access point can identify itself by a NAS (Network Access Server) identifier. Each IEEE 802.1x-capable wireless access point must have a unique NAS identifier.
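The following added example (not part of the Epson manual or the IWE3200-H firmware) shows, in Python, what the shared secret and the NAS identifier do on the wire as described above, using the packet format of RFC 2865: the access point sends an Access-Request carrying a NAS-Identifier and a random Request Authenticator, the server's reply can only be verified with the same shared secret, and the primary/secondary fallback is driven by a configurable retry count. The server names, the secret and the `transact` callback are assumptions for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2           # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER = 1, 32    # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                 # Code, Identifier, Length

def encode_attrs(attrs):
    """Encode (type, text) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for attr_type, text in attrs:
        value = text.encode()
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out

def build_access_request(ident, request_auth, username, nas_id):
    """Access point side: 16-byte random Request Authenticator, User-Name, NAS-Identifier."""
    attrs = encode_attrs([(ATTR_USER_NAME, username), (ATTR_NAS_IDENTIFIER, nas_id)])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(request, code, secret, attrs=b""):
    """Server side: answer a request, proving knowledge of the shared secret."""
    _, ident, _ = HEADER.unpack(request[:4])
    auth = response_authenticator(code, ident, request[4:20], attrs, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(response, request_auth, secret):
    """Access point side: trust a reply only if bound to our Request Authenticator and our secret."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response):           # reject truncated or padded packets before hashing
        return False
    expected = response_authenticator(code, ident, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

def query_with_failover(transact, servers, request, request_auth, secret, retries):
    """Try each server in order (primary first). `transact(server, request)` returns the
    reply bytes or None on timeout; after `retries` failed attempts move to the next server."""
    for server in servers:
        for _ in range(retries):
            reply = transact(server, request)
            if reply is not None and verify_response(reply, request_auth, secret):
                return server, reply
    return None, None
```

A reply computed with a different secret, or replayed against a different Request Authenticator, fails verification and counts as a failed attempt, so a misconfigured or spoofed server is treated the same as an unreachable one.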

Epson IWE3200-H manual Radius